Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
Setting up opendkim on ubuntu running postfix.

configuring opendkim with postfix on ubuntu

Replace example.com with your domain. All occurrences of the string 'mail' are know as the selector and can be any alpha numeric string.

Install opendkim:

$ sudo apt-get install opendkim opendkim-tools

Confirm opendkim user was created:

$ grep opendkim /etc/passwd
opendkim:x:111:117::/var/run/opendkim:/bin/false

Make a place for our keys and switch to it:

$ sudo mkdir -p /etc/opendkim/keys/example.com && cd $_

Make the key pair with selector 'mail' and domain 'example.com':

$ sudo opendkim-genkey -t -s mail -d example.com

Let opendkim own the private key:

$ sudo chown opendkim:opendkim mail.private

Display the public record:

$ cat mail.txt
mail._domainkey	IN	TXT	( "v=DKIM1; k=rsa; t=y; "
	  "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDVdGDSUwQLSPmQcbNPoZzorVZQmU25g8byhVlshY16kp/Nc4vA9CUTNZR8m0P8NJSMnsQ4DgjXSjVYu0pXdj5zjPEV6ik+BKnFxj2Y8BbP+bMm+Ou92yxhNgDT4YwhtBO5ZCauLnoPEz1ygSLRRRc8qiHc99wxiHwU/GNw7f/gTQIDAQAB" )  ; ----- DKIM key mail for example.com

Add the above name and value to a txt record in the dns for example.com (use a low TTL for testing).

See if the record is live:

$ dig +short mail._domainkey.example.com txt
"v=DKIM1\; k=rsa\; t=y\;   p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDVdGDSUwQLSPmQcbNPoZzorVZQmU25g8byhVlshY16kp/Nc4vA9CUTNZR8m0P8NJSMnsQ4DgjXSjVYu0pXdj5zjPEV6ik+BKnFxj2Y8BbP+bMm+Ou92yxhNgDT4YwhtBO5ZCauLnoPEz1ygSLRRRc8qiHc99wxiHwU/GNw7f/gTQIDAQAB"

Now verify the public/private key pair:

$ sudo opendkim-testkey -d example.com -s mail -k /etc/opendkim/keys/example.com/mail.private \
&& echo 'valid key pair'

Edit /etc/default/opendkim as root and add default socket for dkim:

SOCKET="inet:8891@localhost"

Edit /etc/opendkim.conf as root:

UserID			opendkim:opendkim
Domain			example.com
KeyFile			/etc/opendkim/keys/example.com/mail.private
Selector		mail
Socket			inet:8891@localhost
Canonicalization	relaxed/simple
OversignHeaders		From

Start the dkim service:

$ sudo service opendkim start
Starting OpenDKIM: opendkim.

Verify that port 8891 is open:

$ netstat -an | grep '127.0.0.1:8891'
tcp        0      0 127.0.0.1:8891          0.0.0.0:*               LISTEN

Edit /etc/postfix/main.cf as root (add near top):

## DKIM
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

now restart postfix

sudo service postfix restart

Send a message to yourself and look for the DKIM-Signature header. Then try this service to verify the dkim-sig (and other things): http://www.mail-tester.com/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment